GNU bug report logs - #46183
[PATCH 0/1] Update gcrypt [URGENT SECURITY ISSUE]

Package: guix-patches;

Reported by: Ryan Prior <rprior <at> protonmail.com>

Date: Sat, 30 Jan 2021 04:22:02 UTC

Severity: normal

Tags: patch

Done: Ludovic Courtès <ludo <at> gnu.org>

Bug is archived. No further changes may be made.


From: help-debbugs <at> gnu.org (GNU bug Tracking System)
To: Ryan Prior <rprior <at> protonmail.com>
Subject: bug#46183: closed (Re: bug#46183: [PATCH 0/1] Update gcrypt
 [URGENT SECURITY ISSUE])
Date: Mon, 01 Feb 2021 11:51:02 +0000
[Message part 1 (text/plain, inline)]
Your bug report

#46183: [PATCH 0/1] Update gcrypt [URGENT SECURITY ISSUE]

which was filed against the guix-patches package, has been closed.

The explanation is attached below, along with your original report.
If you require more details, please reply to 46183 <at> debbugs.gnu.org.

-- 
46183: http://debbugs.gnu.org/cgi/bugreport.cgi?bug=46183
GNU Bug Tracking System
Contact help-debbugs <at> gnu.org with problems
[Message part 2 (message/rfc822, inline)]
From: Ludovic Courtès <ludo <at> gnu.org>
To: Guillaume Le Vaillant <glv <at> posteo.net>
Cc: Tobias Geerinckx-Rice <me <at> tobias.gr>, 46183-done <at> debbugs.gnu.org,
 Ryan Prior <rprior <at> protonmail.com>
Subject: Re: bug#46183: [PATCH 0/1] Update gcrypt [URGENT SECURITY ISSUE]
Date: Mon, 01 Feb 2021 12:50:49 +0100
Hi,

Guillaume Le Vaillant <glv <at> posteo.net> skribis:

> According to the news at https://gnupg.org:
>
> Libgcrypt 1.9.1 released (2021-01-29)   important
>
> Unfortunately we introduced a severe bug in Libgcrypt 1.9.0 released 10 days ago.
> If you already started to use version 1.9.0 please update immediately to 1.9.1.
>
> Currently the master and staging branch are using libgcrypt 1.8.5 and
> core-updates is using 1.8.7. These versions don't have the critical bug
> as it was introduced in version 1.9.0. So I think updating libgcrypt on
> master is not an emergency, we just have to remember to never use
> version 1.9.0.

Indeed.  So closing this bug.  That said, we can update libgcrypt in
‘core-updates’.

Ludo’.

[Message part 3 (message/rfc822, inline)]
From: Ryan Prior <rprior <at> protonmail.com>
To: guix-patches <at> gnu.org
Subject: [PATCH 0/1] Update gcrypt [URGENT SECURITY ISSUE]
Date: Sat, 30 Jan 2021 04:20:50 +0000
Hi Guix! Please review ASAP. This update fixes an exploitable heap overflow.

 ## Info

https://dev.gnupg.org/T5275

https://lists.gnupg.org/pipermail/gnupg-announce/2021q1/000455.html

Ryan Prior (1):
  gnu: libgcrypt: Update to 1.9.1.

 gnu/packages/gnupg.scm | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

-- 
2.30.0





This bug report was last modified 4 years and 106 days ago.
